The network is the probe

15/06/2017 8:47:09 PM · 246 words · about a minute

A typical approach when doing network security is the classical "install the software probe" on the system you want to control: it connects to the "central server" and does its stuff. While this is needed in certain cases, it is overkill when all you want is to track network traffic.

When writing Fl0wer, the idea was simple: I don't want people to install stuff on all of their systems. It takes time and resources, you have to maintain the software, upgrades, fixes... in a word: why?

The concept behind Fl0wer is that the network itself is the probe. You install only a single instance of Fl0wer in your network and configure your network devices (routers, switches, firewalls) to export a record of the traffic they see to Fl0wer, using one of four available protocols (Netflow V1, V5, V9 or IETF/IPFIX).
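To make the "network devices inform the collector" part concrete, here is a minimal collector-side decoder for one of the four protocols the post names, NetFlow v5, fed with a constructed export datagram. This is an added example, not Fl0wer's own code; the field layout is the standard v5 one, and the addresses, ports and counters in the sample are made up.

```python
import struct
import socket
from typing import List, Dict

# NetFlow v5 wire layout (big-endian), as exported by a router or switch to the collector
HEADER_FMT = "!HHIIIIBBH"                 # 24 bytes: version, count, uptime, secs, nsecs, seq, engine, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # 48 bytes per flow record
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)


def parse_netflow_v5(datagram: bytes) -> List[Dict]:
    """Decode one NetFlow v5 UDP payload into a list of flow dicts.

    Version, count and total length are validated before unpacking, so a
    truncated or malformed export is rejected instead of raising mid-parse.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampling = \
        struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # v5 carries 1..30 records; the payload must be exactly header + count records
    if not 1 <= count <= 30 or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "sport": f[9], "dport": f[10], "proto": f[13],
            "packets": f[5], "bytes": f[6], "tcp_flags": f[12],
            "seq": seq,  # flow_sequence lets the collector detect lost exports
        })
    return flows


def build_sample_datagram() -> bytes:
    """Constructed export: a single TCP flow 192.0.2.10:51234 -> 198.51.100.5:22."""
    header = struct.pack(HEADER_FMT, 5, 1, 1000, 1497552429, 0, 42, 0, 0, 0)
    record = struct.pack(RECORD_FMT,
                         socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"),
                         socket.inet_aton("0.0.0.0"), 1, 2,      # nexthop, input, output ifindex
                         17, 2048, 500, 900,                     # dPkts, dOctets, first, last
                         51234, 22, 0, 0x18, 6, 0,               # sport, dport, pad, PSH|ACK, TCP, tos
                         0, 0, 24, 24, 0)                        # src_as, dst_as, masks, pad
    return header + record
```

In a real deployment the datagram comes from a UDP socket bound to the collector port the exporters are configured with; the monitored host never sees any of this, which is the point the post makes next.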

And one added benefit of this approach is that if a system is compromised by an attacker, he does not even have a clue that he is being tracked by Fl0wer: nothing runs on the host he owns. Yes, if he's good he could compromise the network device too, but that takes time and you'd probably notice it! Remember, the real battle is not whether he will manage to exploit your vulnerabilities, it's how fast you respond versus how fast he acts.